added statement to allow GitHub OIDC to assume ssoreadonly role (#6296)

ministryofjustice · Feb 22, 2024 · 22fc526 · 22fc526
1 parent 1f6cddd
commit 22fc526
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/terraform/environments/bootstrap/member-bootstrap/iam.tf b/terraform/environments/bootstrap/member-bootstrap/iam.tf
@@ -610,6 +610,7 @@ data "aws_iam_policy_document" "oidc_assume_role_member" {
       format("arn:aws:iam::%s:role/modify-dns-records", local.environment_management.account_ids["core-network-services-production"]),
       format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access", local.environment_management.modernisation_platform_account_id),
       format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access", local.environment_management.modernisation_platform_account_id),
+      format("arn:aws:iam::%s:role/ModernisationPlatformSSOReadOnly", local.environment_management.aws_organizations_root_account_id),
       # the two below are required as sprinkler and cooker have development accounts but are in the sandbox vpc
       local.application_name == "sprinkler" ? format("arn:aws:iam::%s:role/member-delegation-garden-sandbox", local.environment_management.account_ids["core-vpc-sandbox"]) : format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access", local.environment_management.modernisation_platform_account_id),
       local.application_name == "cooker" ? format("arn:aws:iam::%s:role/member-delegation-house-sandbox", local.environment_management.account_ids["core-vpc-sandbox"]) : format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access", local.environment_management.modernisation_platform_account_id)